Secure HIPAA Compliant E-mail: 5 Common Myths & Facts

Every day I field questions about HIPAA compliant e-mail, and many days I see or hear something that leads healthcare organizations and their business associates in the wrong direction.

These Myths and Facts can help you make the right e-mail decisions. I have included links to give you more details and so you can see the official information yourself.

MYTH – All e-mail systems are HIPAA compliant.

FACT – FALSE. Free web mail services like Gmail, Yahoo! Mail, Hotmail, and those provided by an Internet Service Provider are not secure, and no electronic Protected Health Information (ePHI) should be sent through these systems, either in messages or attachments.

This can be confusing, because mail providers offer both free and paid services. Google, for example, offers free Gmail, which is not secure, and for which Google will not sign a HIPAA Business Associate Agreement. The Terms of Use for free Gmail include allowing Google to “use…reproduce… communicate, publish…publicly display and distribute” e-mail messages. Google also offers G-Suite, a paid, business-class set of tools that includes e-mail. G-Suite’s security and terms of service are different from free Gmail, and Google will sign a Business Associate Agreement for G-Suite.

Free e-mail can be very expensive. In 2012, an Arizona medical practice paid a $100,000 penalty for sending mail from an Internet-based e-mail account. They also used a publicly accessible online calendar for patient scheduling. In 2016, a health care provider paid $2.7 million, partly for sharing patient information on a cloud service without having first signed a Business Associate Agreement.

There are HIPAA compliant e-mail systems that use secure mail servers, and solutions that let you encrypt messages you send to anyone. Some cloud-based solutions are secure, and their providers will sign Business Associate Agreements, which makes your relationship HIPAA compliant.

If your practice, or even just one doctor, is using a free web mail service to communicate patient information, STOP NOW, because every message you send is a HIPAA violation: you are sharing information with a cloud service in the absence of a Business Associate Agreement. To get the right solution, talk to a certified IT professional who understands HIPAA. Check out the 4Med Pro Network if you want one that specializes in healthcare.

MYTH – Any e-mail message containing patient data must be encrypted.

FACT – FALSE. E-mail sent desk-to-desk within your organization, using a secure server on a secure network, does not have to be encrypted. E-mail going to a remote office on your wide area network should be protected by the encryption used to set up the secure VPN ‘tunnels’ through the Internet between locations. You can also use dedicated secure circuits that do not go through the Internet. Never send unencrypted e-mail containing patient information to a doctor, any member of your workforce, or a Business Associate at their personal or business address outside of your network.

MYTH – I cannot send a patient their medical information if they use a free web mail service.

FACT – FALSE. You can, based on 2013 guidance from the US Department of Health & Human Services. As long as you are using a secure e-mail system on your end, the HIPAA Omnibus Rule released in 2013 says that if a patient asks you to send them information at an unsecure account, like Gmail, Yahoo! Mail, Hotmail (or similar), (a) you should inform them that their system is not secure, and (b) ask if they still want the information sent to them. If they say yes, it is HIPAA compliant to send their records to an unsecure e-mail address, provided you document your conversation and their approval.

In March 2018, Roger Severino, the Director of the OCR, said that sending ePHI to patients via unsecure text messaging, at their request, can be handled the same way.

FROM THE HIPAA OMNIBUS FINAL RULE (page 5634) – We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.

  1. Make an e-mail authorization part of your new patient forms packet, or have forms in your waiting areas for patients to complete and have added to their records. Have your attorney draft a simple release, have the patient print their e-mail address, and then sign the authorization. This way, you get the patient to write their e-mail address clearly, which reduces the likelihood that you will send their Protected Health Information to someone else. (If that happens, you have just committed a breach.)
  2. If a patient calls to ask for their records to be sent to them through e-mail, after you verify their identity, ask them to send you an e-mail message so you can make sure you have their e-mail address correct. This reduces the likelihood of a mistake.
  3. The 2013 HIPAA Omnibus Final Rule limited the fees you can charge patients for their records to just recovering your ‘actual costs’ of copying, media (like CDs or flash drives), and postage. Because this caused confusion, in 2016 the OCR issued guidance allowing an option to charge a flat fee of $6.50 instead of going through a thorough and accurate cost analysis.

Beware of state laws that have different limits. For example, Florida limits the fee for hospitals providing patients with ‘non-paper records’ to just $2. Check your state’s fee structure. You must charge whichever is best for the patient: the lowest of the flat $6.50 fee, your calculated ‘actual cost’, or a state-authorized fee. And you can’t charge a different amount based on why the patient wants their records, such as asking whether they are for their own personal use or will be shared with their attorney.

Remember, this only applies to patients, not providers. Never e-mail unencrypted ePHI to providers outside of your secure network.

MYTH – I only have to worry about written e-mails and documents.

FACT – FALSE. In today’s world, many types of information link to e-mail systems. You can scan documents and send them from your copier to an e-mail address. Faxes are converted from paper to e-mails. Dictation and telephone voice messages are converted into e-mails. HIPAA protects any electronic file containing ePHI, whether written, image (like a scanned image, fax, x-ray, or MRI), or voice message, and these should be encrypted before sending outside your organization.

MYTH – All e-mail that is at rest (stored on a computer) must be encrypted.

FACT – FALSE. While two HIPAA sections (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)) say that data must be encrypted, this requirement is Addressable and not Required. Addressable Does Not Mean Optional. If you choose not to encrypt data, you must document why it is not reasonable to implement encryption, then implement an equivalent alternative. Organizations have paid millions of dollars when their ‘equivalent alternative’ to encryption, which they claimed was increased physical security protecting devices against theft, failed. A health system paid $5.5 million after unencrypted computers were stolen.

The best reason to encrypt is that if a device containing ePHI is encrypted and is lost, you don’t have to report it as a breach.

Don’t think that the only computers that are stolen are laptops and portable devices. The HIPAA ‘Wall of Shame’ list of data breaches includes many servers that were stolen from medical offices. If you really want to protect the data and protect your organization from fines and embarrassment, every device you own that stores patient data should be encrypted, even though it is not required.

Author: Mike Semel

Mike Semel of Semel Consulting authored the 4Medapproved Certified HIPAA Security Professional (CHSP) course for compliance officers, has been the Chief Information Officer for a hospital (Covered Entity) and has provided IT support for healthcare providers (as a Business Associate) for many years. Mike is a noted speaker, blogger, writer, and is the best-selling author of How to Avoid HIPAA Headaches, Lessons from Avoidable, Expensive, Embarrassing, and Career-Killing HIPAA Penalties and Data Breaches. Mike offers a 20% course discount to readers of his blog posts using code SEMEL20 at checkout at